HTTP requests - how secure?

I see on the thread at the link below that you can make HTTP calls to trigger actions or change scenes, etc. Just wondering: if I open that port to the world, is there any security built in? Or can anyone make calls if they see that the port is open?

Referencing: http://wiki.micasaverde.com/index.php/Luup_Requests#lu_action

Thanks!

John

Those [HTTP] URLs are the ones you might [insecurely] use on your Internal Network (LAN). They’re not intended to be exposed, via Firewall port openings, to the Internet…

There is a corresponding set of URLs that work through HTTPS to either cp.mios.com (UI4) or to findvera.com (UI2/UI3). These have both Authentication (AuthN) as well as encryption (SSL) applied, so they’re the safer route for people wanting “external” access to control their MiOS Units.

These latter URLs are also what the Remote Controls (SQRemote, iVera, HomeBuddy, etc) are using when used “outside” the home.

Fantastic! Thanks!

Do you have any documentation on these corresponding HTTPS URLs for UI4?

Thanks!

John

See the following post for references on starter-points:

http://forum.micasaverde.com/index.php?topic=4343.msg24905#msg24905

Awesome, I see it now, I like how the https URL is built with the username/pass/unit ID.

Is it safe to assume that all boxes are accessed through fwd2.mios.com?

It’s probably best if you read those documents. There’s a bunch of other information also in the Wiki, so I recommend spending some time catching up on that first.

Thanks, I understand my questions are probably irritating… It just isn’t clear if access to the units is load balanced over multiple ‘fwd’ hosts or if it is only ‘fwd2’.

John

From what I’ve read on the Forums, each MiOS unit connects to one of the FWDx Nodes, but is configured to “failover” to an alternative node if the primary fails.

Presumably the Clients, calling the APIs, would need to do something similar, since there is no HW Load-Balancer fronting the service.

Yeah, I see that now… We can make a call to (http://sta1.mios.com/locator_json.php?username=cpusername) to find out what units the user has access to and what fwdx host they can be accessed through… Then we can confirm the user credentials and make control calls using: (https://fwdX.mios.com/cpusername/cppassword/unitid/data_request?id=lu_alive)

It’s brilliant, I love it :) My new project starts tonight :)

Thanks for the help!

John

Wow, so you can activate “Require local http authentication” thinking that you are (I understand, it’s not using SSL and not as secure as using mios) locking it down in case, for example, someone finds an easy way onto your wireless network (lost phone/iPod etc). And in reality, by using another port (49451 or 3480) you really don’t require any authentication connecting locally, even though you think you’ve locked down local access.

Curious that I was able to control it locally without authenticating by using those ports. Then tried port 80 and was prompted for user authentication.

I understand that it will keep my kids out, but if someone wanted to break into the house by opening a z-wave lock… then again it takes less effort and brains to just break a window to get in…
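A local check for the behaviour described in the post above, as an added example that is not part of the thread or of any MiOS code: it sends one request with no credentials to each port and reports which ones answer anyway. The shared request path and the loopback stub servers are assumptions constructed for the demo; call `audit()` with your own unit's LAN address to test a real device.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PORTS = (80, 3480, 49451)           # ports named in the post above
PATH = "/data_request?id=lu_alive"  # assumption: same request path on each port


def probe(host, port, path=PATH, timeout=3.0):
    """Send one GET with no credentials and classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()
    if status in (401, 403):
        return "auth-required"
    return "open-no-auth" if 200 <= status < 300 else f"other-{status}"


def audit(host, ports=PORTS, path=PATH):
    """Map each probed port to its classification."""
    return {port: probe(host, port, path) for port in ports}


def exposed(results):
    """Ports that served the request without asking for credentials."""
    return sorted(p for p, r in results.items() if r == "open-no-auth")


def stub(status):
    """Constructed stand-in for one controller port (loopback only)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            self.end_headers()
        log_message = lambda self, *args: None  # keep the demo output quiet
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    locked, unlocked = stub(401), stub(200)  # constructed: one port gated, one not
    results = audit("127.0.0.1", (locked.server_port, unlocked.server_port))
    print(results, "exposed:", exposed(results))
```

Any port listed by `exposed()` is one to block at the LAN firewall or isolate on its own network segment, since the authentication setting does not cover it.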

Once more, I don’t understand why the Vera MUST use those MiCasaVerde servers and does not set up its own local HTTPS server in order to leave users free to use it as they want regarding access from the Internet. The use of a foreign server remains a security failure in the system from the user’s point of view, as we cannot control the security access to our Vera as we want!!!